Diffstat (limited to 'ymir.nix')
-rw-r--r--ymir.nix130
1 files changed, 119 insertions, 11 deletions
diff --git a/ymir.nix b/ymir.nix
index 424ca265..74eb1a39 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -15,10 +15,11 @@ let
15 }; 15 };
16 myDomains = ["dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org" 16 myDomains = ["dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
17 "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" 17 "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li"
18 "files.lmu.li" "f.lmu.li" "ymir.lmu.li" "lmu.li" "www.lmu.li" "lists.lmu.li" "l.lmu.li"
19 "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" 18 "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li"
20 "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li" 19 "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li"
21 "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org" 20 "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org"
21 "ymir.kleen.li" "kleen.li" "www.kleen.li"
22 "ymir.nights.email" "nights.email" "www.nights.email"
22 ]; 23 ];
23in rec { 24in rec {
24 imports = 25 imports =
@@ -47,12 +48,14 @@ in rec {
47 nixpkgs.config.packageOverrides = pkgs: 48 nixpkgs.config.packageOverrides = pkgs:
48 rec { 49 rec {
49 prosody = pkgs.callPackage ./customized/prosody.nix ({ 50 prosody = pkgs.callPackage ./customized/prosody.nix ({
50 inherit (pkgs.lua51Packages) luasocket luasec luaexpat luafilesystem luabitop luaevent luazlib; 51 inherit (pkgs.lua51Packages) luasocket luaexpat luafilesystem luabitop luaevent luazlib;
52 luasec = lua5_sec;
51 lua5 = pkgs.lua5_1; 53 lua5 = pkgs.lua5_1;
52 communityModules = ["mod_carbons" "mod_reload_modules"]; 54 communityModules = ["mod_carbons" "mod_reload_modules" "mod_csi" "mod_cloud_notify" "mod_csi_pump" "mod_smacks" "mod_track_muc_joins"];
53 extraModules = [prosodyAuth]; 55 extraModules = [prosodyAuth];
54 extraLibs = [luaPam luaPosix luaSha2]; 56 extraLibs = [luaPam luaPosix luaSha2];
55 }); 57 });
58 lua5_sec = pkgs.lua5_sec.override { lua5 = pkgs.lua5_1; };
56 uwsgi = pkgs.callPackage ./customized/uwsgi.nix { 59 uwsgi = pkgs.callPackage ./customized/uwsgi.nix {
57 extraPlugins = { 60 extraPlugins = {
58 cgi = { 61 cgi = {
@@ -144,6 +147,7 @@ in rec {
144 9418 # git 147 9418 # git
145 64738 # murmur 148 64738 # murmur
146 53 # DNS 149 53 # DNS
150 6523 # Obby
147 ]; 151 ];
148 allowedUDPPorts = [ 64738 # murmur 152 allowedUDPPorts = [ 64738 # murmur
149 53 # DNS 153 53 # DNS
@@ -199,6 +203,7 @@ in rec {
199 "nginx" 203 "nginx"
200 "postfix" 204 "postfix"
201 "murmur" 205 "murmur"
206 "infinoted"
202 ]; 207 ];
203 }; 208 };
204 209
@@ -219,6 +224,10 @@ in rec {
219 "auth_custom" 224 "auth_custom"
220 "carbons" 225 "carbons"
221 "reload_modules" 226 "reload_modules"
227 "smacks"
228 "csi"
229 "csi_pump"
230 "cloud_notify"
222 ]; 231 ];
223 extraConfig = '' 232 extraConfig = ''
224 reload_modules = { "group", "tls" } 233 reload_modules = { "group", "tls" }
@@ -236,7 +245,7 @@ in rec {
236 ''; 245 '';
237 246
238 virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; }) 247 virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; })
239 ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li"]); 248 ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li" "nights.email"]);
240 }; 249 };
241 security.pam.services."xmpp".text = '' 250 security.pam.services."xmpp".text = ''
242 auth requisite pam_succeed_if.so user ingroup xmpp 251 auth requisite pam_succeed_if.so user ingroup xmpp
@@ -348,6 +357,7 @@ in rec {
348 postmasterAlias = ""; rootAlias = ""; extraAliases = ""; 357 postmasterAlias = ""; rootAlias = ""; extraAliases = "";
349 virtual = '' 358 virtual = ''
350 blog@dirty-haskell.org dirty-haskell@lists.yggdrasil.li 359 blog@dirty-haskell.org dirty-haskell@lists.yggdrasil.li
360 @nights.email some@nights.email
351 ''; 361 '';
352 #destination = ["yggdrasil.li" "ymir.yggdrasil.li" "praseodym.org" "ymir.praseodym.org" "141.li" "ymir.141.li" "xmpp.li" "ymir.xmpp.li" "dirty-haskell.org" "explainuxul.de" "www.explainuxul.de" "lmu.li" "www.lmu.li" "localhost.yggdrasil.li" "localhost"]; 362 #destination = ["yggdrasil.li" "ymir.yggdrasil.li" "praseodym.org" "ymir.praseodym.org" "141.li" "ymir.141.li" "xmpp.li" "ymir.xmpp.li" "dirty-haskell.org" "explainuxul.de" "www.explainuxul.de" "lmu.li" "www.lmu.li" "localhost.yggdrasil.li" "localhost"];
353 destination = [''regexp:${pkgs.writeText "destination" '' 363 destination = [''regexp:${pkgs.writeText "destination" ''
@@ -355,8 +365,9 @@ in rec {
355 /\.?praseodym\.org$/ ACCEPT 365 /\.?praseodym\.org$/ ACCEPT
356 /\.?141\.li$/ ACCEPT 366 /\.?141\.li$/ ACCEPT
357 /\.?xmpp\.li$/ ACCEPT 367 /\.?xmpp\.li$/ ACCEPT
368 /\.?kleen\.li$/ ACCEPT
358 /\.?dirty-haskell\.org$/ ACCEPT 369 /\.?dirty-haskell\.org$/ ACCEPT
359 /\.?lmu\.li$/ ACCEPT 370 /\.?nights\.email$/ ACCEPT
360 /\.?yggdrasil$/ ACCEPT 371 /\.?yggdrasil$/ ACCEPT
361 /\.?localdomain$/ ACCEPT 372 /\.?localdomain$/ ACCEPT
362 /^localhost$/ ACCEPT 373 /^localhost$/ ACCEPT
@@ -396,6 +407,8 @@ in rec {
396 /@subs?\.(lists?|l)\./ mlmmj-subs: 407 /@subs?\.(lists?|l)\./ mlmmj-subs:
397 ''} regexp:/srv/mail/transport pipemap:{texthash:/srv/mail/discard,static:{discard:}} 408 ''} regexp:/srv/mail/transport pipemap:{texthash:/srv/mail/discard,static:{discard:}}
398 409
410 local_recipient_maps =
411
399 luser_relay = gkleen+''${local} 412 luser_relay = gkleen+''${local}
400 413
401 # 10 GiB 414 # 10 GiB
@@ -426,7 +439,6 @@ in rec {
426 permit_sasl_authenticated, 439 permit_sasl_authenticated,
427 reject_non_fqdn_helo_hostname, 440 reject_non_fqdn_helo_hostname,
428 reject_invalid_helo_hostname, 441 reject_invalid_helo_hostname,
429 reject_unknown_reverse_client_hostname,
430 reject_unauth_destination, 442 reject_unauth_destination,
431 check_client_access regexp:${pkgs.writeText "spfpolicy" '' 443 check_client_access regexp:${pkgs.writeText "spfpolicy" ''
432 /(^|\.)tu-muenchen\.de$/ DUNNO 444 /(^|\.)tu-muenchen\.de$/ DUNNO
@@ -463,6 +475,16 @@ in rec {
463 475
464 alias_maps = texthash:${pkgs.writeText "aliases" '' 476 alias_maps = texthash:${pkgs.writeText "aliases" ''
465 postmaster gkleen 477 postmaster gkleen
478 webmaster gkleen
479 abuse gkleen
480 noc gkleen
481 security gkleen
482 hostmaster gkleen
483 usenet gkleen
484 news gkleen
485 www gkleen
486 uucp gkleen
487 ftp gkleen
466 root gkleen 488 root gkleen
467 ''} texthash:/srv/mail/spm 489 ''} texthash:/srv/mail/spm
468 490
@@ -478,10 +500,23 @@ in rec {
478 recipient_canonical_classes= envelope_recipient,header_recipient 500 recipient_canonical_classes= envelope_recipient,header_recipient
479 ''; 501 '';
480 extraMasterConf = '' 502 extraMasterConf = ''
481 uucp unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a $sender - $nexthop!rmail ($recipient) 503 uucp unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
482 mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L /var/spool/lists/''${user} 504 mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L /var/spool/lists/''${user}
483 mlmmj-subs unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj-exposed}/bin/mlmmj-exposed /var/spool/lists/''${user} ''${extension} 505 mlmmj-subs unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj-exposed}/bin/mlmmj-exposed /var/spool/lists/''${user} ''${extension}
484 policy-spf unix - n n - - spawn user=nobody argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf} 506 policy-spf unix - n n - - spawn user=nobody argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}
507 logEmail unix - n n - 10 pipe flags=Rq user=nobody null_sender= argv=${pkgs.writeScript "logEmail" ''
508 #!${pkgs.stdenv.shell}
509
510 export PATH=${config.security.wrapperDir}:/run/current-system/sw/bin
511
512 mailFile=/tmp/logEmail/$(date +"%F-%H%M%S").$$
513
514 mkdir -p -m 700 /tmp/logEmail
515
516 cat >$mailFile
517
518 sendmail -G -i "$@" <$mailFile
519 ''} -f ''${sender} -- ''${recipient}
485 ''; 520 '';
486 networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"]; 521 networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
487 }; 522 };
@@ -494,6 +529,8 @@ in rec {
494 ".praseodym.org" "praseodym.org" 529 ".praseodym.org" "praseodym.org"
495 ".141.li" "141.li" 530 ".141.li" "141.li"
496 ".xmpp.li" "xmpp.li" 531 ".xmpp.li" "xmpp.li"
532 ".kleen.li" "kleen.li"
533 ".nights.email" "nights.email"
497 ".lmu.li" "lmu.li" 534 ".lmu.li" "lmu.li"
498 ".dirty-haskell.org" "dirty-haskell.org" 535 ".dirty-haskell.org" "dirty-haskell.org"
499 ]; 536 ];
@@ -527,11 +564,23 @@ in rec {
527 selector = "ymir"; 564 selector = "ymir";
528 configFile = builtins.toFile "opendkim.conf" '' 565 configFile = builtins.toFile "opendkim.conf" ''
529 Syslog true 566 Syslog true
530 MTACommand /var/setuid-wrappers/sendmail 567 MTACommand ${config.security.wrapperDir}/sendmail
531 LogResults true 568 LogResults true
532 ''; 569 '';
533 }; 570 };
534 571
572 services.postgrey = {
573 enable = true;
574 socket = {
575 path = "/var/lib/postfix/queue/private/policy-greylist";
576 mode = "0777";
577 };
578 delay = 60;
579 autoWhitelist = 1;
580 maxAge = 7;
581 retryWindow = 1;
582 };
583
535 services.dovecot2 = { 584 services.dovecot2 = {
536 enable = true; 585 enable = true;
537 enableImap = true; 586 enableImap = true;
@@ -606,6 +655,35 @@ in rec {
606 655
607 users.extraGroups."mlmmj" = {}; 656 users.extraGroups."mlmmj" = {};
608 657
658 users.extraGroups."mladmin" = {
659 members = [ "gkleen" ];
660 };
661
662 users.extraGroups."infinoted" = {
663 members = [ "infinoted" "gitolite" ];
664 };
665
666 security.sudo.extraConfig = ''
667 %mladmin ALL=(mlmmj) NOPASSWD: ALL
668 %infinoted ALL=(infinoted) NOPASSWD: ALL
669 '';
670
671 security.polkit = {
672 enable = true;
673 extraConfig = ''
674 polkit.addRule(function(action, subject) {
675 if ( action.id == "org.freedesktop.systemd1.manage-units"
676 && action.lookup("unit") == "infinoted.service"
677 && subject.isInGroup("infinoted")
678 ) {
679 return polkit.Result.YES;
680 }
681 });
682 '';
683 };
684
685 security.wrappers = { "newgrp".source = "${pkgs.shadow}/bin/newgrp"; };
686
609 security.acme = { 687 security.acme = {
610 certs = { 688 certs = {
611 "yggdrasil.li" = { 689 "yggdrasil.li" = {
@@ -616,7 +694,7 @@ in rec {
616 extraDomains = builtins.listToAttrs (builtins.map (name: { inherit name; value = "/srv/www/acme/${name}"; }) myDomains); 694 extraDomains = builtins.listToAttrs (builtins.map (name: { inherit name; value = "/srv/www/acme/${name}"; }) myDomains);
617 postRun = '' 695 postRun = ''
618 systemctl reload nginx.service 696 systemctl reload nginx.service
619 prosodyctl reload 697 ${pkgs.prosody}/bin/prosodyctl reload
620 ''; 698 '';
621 }; 699 };
622 }; 700 };
@@ -627,8 +705,8 @@ in rec {
627 nodeName = "ymir"; 705 nodeName = "ymir";
628 remoteNodes = ["isaac" "hel"]; # legacy name for odin 706 remoteNodes = ["isaac" "hel"]; # legacy name for odin
629 sshUser = { 707 sshUser = {
630 openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin'' 708 openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin''
631 ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWBybBQKbPucqBgULQ1phv7IKFWl1Xc4drkCx3D5mIz uucp@hel'' 709 ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWBybBQKbPucqBgULQ1phv7IKFWl1Xc4drkCx3D5mIz uucp@hel''
632 ]; 710 ];
633 }; 711 };
634 sshConfig = '' 712 sshConfig = ''
@@ -694,4 +772,34 @@ in rec {
694 forward-addr: 10.141.1.1 772 forward-addr: 10.141.1.1
695 ''; 773 '';
696 }; 774 };
775
776 services.infinoted = {
777 enable = true;
778 keyFile = "/var/lib/acme/yggdrasil.li/key.pem";
779 certificateFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
780 plugins = [ "note-text" "note-chat" "logging" "autosave" "certificate-auth" "directory-sync" ];
781 extraConfig = ''
782 [certificate-auth]
783 ca-list=/var/lib/infinoted/ca.cert.pem
784 ca-key=/var/lib/infinoted/ca.key.pem
785 accept-unauthenticated-clients=true
786
787 [autosave]
788 interval=5
789
790 [directory-sync]
791 directory=/var/lib/infinoted/dirsync
792 interval=5
793 hook=/var/lib/infinoted/git-sync.sh
794 '';
795 };
796
797 users.extraUsers."infinoted" = {
798 home = "/var/lib/infinoted";
799 createHome = true;
800 };
801
802 services.haveged = {
803 enable = true;
804 };
697} 805}
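Review bot: The new sudo rule `%infinoted ALL=(infinoted) NOPASSWD: ALL` combined with adding `gitolite` to the `infinoted` group (users.extraGroups."infinoted") lets anything running as the gitolite user — including repository hooks — become `infinoted` without a password, and that account is handed `keyFile = "/var/lib/acme/yggdrasil.li/key.pem"`, the private key of the certificate that also covers every name in `myDomains`. If the daemon runs as the `infinoted` user and reads that key directly (the NixOS infinoted module appears to, but worth confirming how the key is provisioned), a compromise of gitolite becomes a compromise of the TLS private key for all hosted domains plus the infinoted CA key under `/var/lib/infinoted`. Since the polkit rule in the same hunk already lets the group start/stop/restart `infinoted.service`, the sudo grant looks redundant for unit control; I would narrow it to the one command the sync hook actually needs (e.g. `%infinoted ALL=(infinoted) NOPASSWD: /var/lib/infinoted/git-sync.sh`) or drop it, and either remove `gitolite` from the group or give infinoted its own certificate instead of the shared ACME key. The purpose of gitolite's membership is not visible here (presumably the directory-sync hook pushing to a gitolite repo), so a one-line comment above the group stating why it is needed would also help the next reviewer.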